Use crypto method flags; add tlsv1.0 wrapper; add wrapper tests

1 parent d0c9207 commit 3a9829af2062527fb4e5cb11eb4ac3e045d0b370 @rdlowrey rdlowrey committed Feb 11, 2014
@@ -1224,6 +1224,7 @@ PHP_MINIT_FUNCTION(openssl)
php_stream_xport_register("sslv2", php_openssl_ssl_socket_factory TSRMLS_CC);
#endif
php_stream_xport_register("tls", php_openssl_ssl_socket_factory TSRMLS_CC);
+ php_stream_xport_register("tlsv1.0", php_openssl_ssl_socket_factory TSRMLS_CC);
#if OPENSSL_VERSION_NUMBER >= 0x10001001L
php_stream_xport_register("tlsv1.1", php_openssl_ssl_socket_factory TSRMLS_CC);
php_stream_xport_register("tlsv1.2", php_openssl_ssl_socket_factory TSRMLS_CC);
@@ -1269,6 +1270,7 @@ PHP_MSHUTDOWN_FUNCTION(openssl)
#endif
php_stream_xport_unregister("sslv3" TSRMLS_CC);
php_stream_xport_unregister("tls" TSRMLS_CC);
+ php_stream_xport_unregister("tlsv1.0" TSRMLS_CC);
#if OPENSSL_VERSION_NUMBER >= 0x10001001L
php_stream_xport_unregister("tlsv1.1" TSRMLS_CC);
php_stream_xport_unregister("tlsv1.2" TSRMLS_CC);
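Review bot: Registering the `tlsv1.0` scheme at L12 only adds the name; the scheme-to-method dispatch that makes it select the TLSv1 method lives in `php_openssl_ssl_socket_factory`, which is outside this hunk, so confirm that factory has a matching `tlsv1.0` case — otherwise the wrapper registers cleanly but falls through to whatever the factory's default handling is. A one-line comment next to the new registration would save the next reader from wondering why this one is unconditional while `tlsv1.1`/`tlsv1.2` are gated, e.g. `/* TLSv1_method() exists in every OpenSSL we build against; 1.1/1.2 need 1.0.1+ */`. Both `PHP_MINIT_FUNCTION(openssl)` and `PHP_MSHUTDOWN_FUNCTION(openssl)` begin and end outside these hunks.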
@@ -0,0 +1,58 @@
+--TEST--
+Basic bitwise stream crypto context flag assignment
+--SKIPIF--
+<?php
+if (!extension_loaded("openssl")) die("skip");
+if (!function_exists('pcntl_fork')) die("skip no fork");
+--FILE--
+<?php
+$flags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
+$ctx = stream_context_create(['ssl' => [
+ 'local_cert' => __DIR__ . '/bug54992.pem',
+ 'allow_self_signed' => true
+]]);
+$server = stream_socket_server('ssl://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
+var_dump($server);
+
+$pid = pcntl_fork();
+if ($pid == -1) {
+ die('could not fork');
+} else if ($pid) {
+
+ // Base SSL context values
+ $sslCtxVars = array(
+ 'verify_peer' => TRUE,
+ 'cafile' => __DIR__ . '/bug54992-ca.pem',
+ 'CN_match' => 'bug54992.local', // common name from the server's "local_cert" PEM file
+ );
+
+ // SSLv3
+ $ctxCopy = $sslCtxVars;
+ $ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_SSLv3_CLIENT;
+ $ctx = stream_context_create(array('ssl' => $ctxCopy));
+ var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
+
+ // TLSv1
+ $ctxCopy = $sslCtxVars;
+ $ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT;
+ $ctx = stream_context_create(array('ssl' => $ctxCopy));
+ var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
+
+ // TLS (any)
+ $ctxCopy = $sslCtxVars;
+ $ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLS_CLIENT;
+ $ctx = stream_context_create(array('ssl' => $ctxCopy));
+ var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
+
+} else {
+ @pcntl_wait($status);
+ @stream_socket_accept($server, 1);
+ @stream_socket_accept($server, 1);
+ @stream_socket_accept($server, 1);
+}
+--EXPECTF--
+resource(%d) of type (stream)
+resource(%d) of type (stream)
+resource(%d) of type (stream)
+resource(%d) of type (stream)
+
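Review bot: The SSLv3 case at L53-L57 asserts that an `ssl://` server with no `crypto_method` accepts an SSLv3-only client, which pins the weak default into the expected output at L79; once the linked OpenSSL is built without SSLv3 this line flips to `bool(false)` and the whole test reds for a reason unrelated to the flag plumbing being tested, so consider moving the SSLv3 probe into its own test with an appropriate SKIPIF. The `'allow_self_signed' => true` at L36 is a peer-verification option and, as far as I can tell from this file, has no effect on the listening side — it can be dropped to avoid suggesting the server is doing verification. On failure nothing surfaces `$errstr`, so a red run gives no diagnostic; a guarded `if (!$client) echo $errstr, "\n";` after each connect keeps the passing output unchanged while making failures readable.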
@@ -0,0 +1,67 @@
+--TEST--
+TLSv1.1 and TLSv1.2 bitwise stream crypto flag assignment
+--SKIPIF--
+<?php
+if (!extension_loaded("openssl")) die("skip");
+if (!function_exists('pcntl_fork')) die("skip no fork");
+if (OPENSSL_VERSION_NUMBER < 0x10001001) die("skip OpenSSLv1.0.1 required");
+--FILE--
+<?php
+$flags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
+$ctx = stream_context_create(['ssl' => [
+ 'local_cert' => __DIR__ . '/bug54992.pem',
+ 'allow_self_signed' => true
+]]);
+$server = stream_socket_server('ssl://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
+var_dump($server);
+
+$pid = pcntl_fork();
+if ($pid == -1) {
+ die('could not fork');
+} else if ($pid) {
+
+ // Base SSL context values
+ $sslCtxVars = array(
+ 'verify_peer' => TRUE,
+ 'cafile' => __DIR__ . '/bug54992-ca.pem',
+ 'CN_match' => 'bug54992.local', // common name from the server's "local_cert" PEM file
+ );
+
+ // TLSv1
+ $ctxCopy = $sslCtxVars;
+ $ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT;
+ $ctx = stream_context_create(array('ssl' => $ctxCopy));
+ var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
+
+ // TLSv1.1
+ $ctxCopy = $sslCtxVars;
+ $ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT;
+ $ctx = stream_context_create(array('ssl' => $ctxCopy));
+ var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
+
+ // TLSv1.2
+ $ctxCopy = $sslCtxVars;
+ $ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
+ $ctx = stream_context_create(array('ssl' => $ctxCopy));
+ var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
+
+ // TLS (any)
+ $ctxCopy = $sslCtxVars;
+ $ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLS_CLIENT;
+ $ctx = stream_context_create(array('ssl' => $ctxCopy));
+ var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
+
+} else {
+ @pcntl_wait($status);
+ @stream_socket_accept($server, 1);
+ @stream_socket_accept($server, 1);
+ @stream_socket_accept($server, 1);
+ @stream_socket_accept($server, 1);
+}
+--EXPECTF--
+resource(%d) of type (stream)
+resource(%d) of type (stream)
+resource(%d) of type (stream)
+resource(%d) of type (stream)
+resource(%d) of type (stream)
+
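Review bot: Every test added in this commit binds the same hard-coded `127.0.0.1:64321` (L98 here), so any parallel run of the suite, or a lingering socket from a previous test, makes these collide and fail with `bool(false)` for a non-TLS reason; give each test its own port or derive one per file. The parent's four connects at L117-L135 each have a 1-second timeout and the child's four accepts at L139-L142 the same, in strict lockstep, so a single slow handshake shifts the pairing and turns the remaining cases into timeouts — a longer accept timeout on the child side costs nothing on the green path. A comment above the client loop stating that the server side deliberately leaves `crypto_method` unset (so it takes the default and the test is about the client flags) would make the intent explicit.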
@@ -0,0 +1,68 @@
+--TEST--
+Server bitwise stream crypto flag assignment
+--SKIPIF--
+<?php
+if (!extension_loaded("openssl")) die("skip");
+if (!function_exists('pcntl_fork')) die("skip no fork");
+if (OPENSSL_VERSION_NUMBER < 0x10001001) die("skip OpenSSLv1.0.1 required");
+--FILE--
+<?php
+$flags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
+$ctx = stream_context_create(['ssl' => [
+ 'local_cert' => __DIR__ . '/bug54992.pem',
+ 'allow_self_signed' => true,
+
+ // Only accept SSLv3 and TLSv1.2 connections
+ 'crypto_method' => STREAM_CRYPTO_METHOD_SSLv3_SERVER | STREAM_CRYPTO_METHOD_TLSv1_2_SERVER
+]]);
+$server = stream_socket_server('ssl://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
+var_dump($server);
+
+$pid = pcntl_fork();
+if ($pid == -1) {
+ die('could not fork');
+} else if ($pid) {
+
+ // Base SSL context values
+ $sslCtxVars = array(
+ 'verify_peer' => TRUE,
+ 'cafile' => __DIR__ . '/bug54992-ca.pem',
+ 'CN_match' => 'bug54992.local', // common name from the server's "local_cert" PEM file
+ );
+
+ // TLSv1.2
+ $ctxCopy = $sslCtxVars;
+ $ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
+ $ctx = stream_context_create(array('ssl' => $ctxCopy));
+ var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
+
+ // SSLv3
+ $ctxCopy = $sslCtxVars;
+ $ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_SSLv3_CLIENT;
+ $ctx = stream_context_create(array('ssl' => $ctxCopy));
+ var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
+
+ // TLSv1 (should fail)
+ $ctxCopy = $sslCtxVars;
+ $ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT;
+ $ctx = stream_context_create(array('ssl' => $ctxCopy));
+ var_dump(@stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
+
+ // TLSv1.1 (should fail)
+ $ctxCopy = $sslCtxVars;
+ $ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT;
+ $ctx = stream_context_create(array('ssl' => $ctxCopy));
+ var_dump(@stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
+
+} else {
+ @pcntl_wait($status);
+ @stream_socket_accept($server, 1);
+ @stream_socket_accept($server, 1);
+}
+--EXPECTF--
+resource(%d) of type (stream)
+resource(%d) of type (stream)
+resource(%d) of type (stream)
+bool(false)
+bool(false)
+
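Review bot: The two negative cases at L196-L206 look vacuous as written: the child only performs two accepts (L210-L211) and then exits, so for the third and fourth connects the TCP handshake completes from the listen backlog but nobody ever drives the TLS handshake, and the client returns `bool(false)` after its 1-second timeout regardless of whether the server's `SSLv3_SERVER | TLSv1_2_SERVER` filter actually rejects TLSv1.0 and TLSv1.1. Accept all four so the rejections come from the handshake itself, e.g. replace the two accept lines with `for ($i = 0; $i < 4; $i++) { @stream_socket_accept($server, 1); }` — the accepts for the rejected clients fail and are already suppressed. It would also be worth a comment on the expected-output block saying which two `bool(false)` lines are the TLSv1.0/1.1 rejections, since the file otherwise gives no way to tell a timeout from a refused handshake.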
@@ -0,0 +1,67 @@
+--TEST--
+Specific protocol method specification
+--SKIPIF--
+<?php
+if (!extension_loaded("openssl")) die("skip");
+if (!function_exists('pcntl_fork')) die("skip no fork");
+--FILE--
+<?php
+$flags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
+$ctx = stream_context_create(['ssl' => [
+ 'local_cert' => __DIR__ . '/bug54992.pem',
+ 'allow_self_signed' => true,
+ 'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_0_SERVER
+]]);
+
+$server = stream_socket_server('ssl://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
+var_dump($server);
+
+$pid = pcntl_fork();
+if ($pid == -1) {
+ die('could not fork');
+} else if ($pid) {
+
+ // Base SSL context values
+ $sslCtxVars = array(
+ 'verify_peer' => FALSE,
+ 'cafile' => __DIR__ . '/bug54992-ca.pem',
+ 'CN_match' => 'bug54992.local', // common name from the server's "local_cert" PEM file
+ );
+
+ // Should fail because the SSLv23 hello method is not supported
+ $ctxCopy = $sslCtxVars;
+ $ctx = stream_context_create(array('ssl' => $ctxCopy));
+ var_dump(@stream_socket_client("ssl://127.0.0.1:64321"));
+
+ // Should fail because the TLSv1.1 hello method is not supported
+ $ctxCopy = $sslCtxVars;
+ $ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT;
+ $ctx = stream_context_create(array('ssl' => $ctxCopy));
+ var_dump(@stream_socket_client("ssl://127.0.0.1:64321"));
+
+ // Should fail because the TLSv1.2 hello method is not supported
+ $ctxCopy = $sslCtxVars;
+ $ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
+ $ctx = stream_context_create(array('ssl' => $ctxCopy));
+ var_dump(@stream_socket_client("ssl://127.0.0.1:64321"));
+
+ // Should succeed because we use the same TLSv1 hello
+ $ctxCopy = $sslCtxVars;
+ $ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT;
+ $ctx = stream_context_create(array('ssl' => $ctxCopy));
+ var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $ctx));
+
+} else {
+ @pcntl_wait($status);
+ @stream_socket_accept($server, 1);
+ @stream_socket_accept($server, 1);
+ @stream_socket_accept($server, 1);
+ @stream_socket_accept($server, 1);
+}
+--EXPECTF--
+resource(%d) of type (stream)
+bool(false)
+bool(false)
+bool(false)
+resource(%d) of type (stream)
+
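Review bot: The three "should fail" cases at L251-L266 never pass the context they build — each call is `stream_socket_client("ssl://127.0.0.1:64321")` with no `$ctx` — so the TLSv1.1 and TLSv1.2 client methods set at L258 and L264 are never used and all three connects run with the default `ssl://` method and the default socket timeout; the `bool(false)` lines at L283-L285 therefore do not demonstrate what the comments claim. Each should be `var_dump(@stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));`, matching the positive case at L272 (whose 30-second timeout is also out of step with the 1-second timeouts used elsewhere in this commit). The comment at L251 asserts the SSLv23 hello is "not supported" by a `TLSv1_0_SERVER`; I cannot confirm that from this file, so it is worth a sentence explaining why the default client hello is expected to be refused rather than negotiated down.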
@@ -56,4 +56,3 @@ EOS;
?>
--EXPECTF--
Hello World!
-
@@ -0,0 +1,47 @@
+--TEST--
+tlsv1.0 stream wrapper
+--SKIPIF--
+<?php
+if (!extension_loaded("openssl")) die("skip");
+if (OPENSSL_VERSION_NUMBER < 0x10001001) die("skip OpenSSL 1.0.1 required");
+if (!function_exists('pcntl_fork')) die("skip no fork");
+--FILE--
+<?php
+$flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
+$ctx = stream_context_create(array('ssl' => array(
+ 'local_cert' => __DIR__ . '/streams_crypto_method.pem',
+)));
+
+$server = stream_socket_server('tlsv1.0://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
+var_dump($server);
+
+$pid = pcntl_fork();
+if ($pid == -1) {
+ die('could not fork');
+} elseif ($pid) {
+ $flags = STREAM_CLIENT_CONNECT;
+ $ctx = stream_context_create(array('ssl' => array(
+ 'verify_peer' => false,
+ 'verify_host' => false
+ )));
+
+ $client = stream_socket_client("tlsv1.0://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);
+ var_dump($client);
+
+ $client = @stream_socket_client("sslv3://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);
+ var_dump($client);
+
+ $client = @stream_socket_client("tlsv1.2://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);
+ var_dump($client);
+
+} else {
+ @pcntl_wait($status);
+ for ($i=0; $i < 3; $i++) {
+ @stream_socket_accept($server, 1);
+ }
+}
+--EXPECTF--
+resource(%d) of type (stream)
+resource(%d) of type (stream)
+bool(false)
+bool(false)
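Review bot: The client context at L316-L319 uses `'verify_host' => false`, a key that none of the other tests in this commit use (they use `CN_match` and `verify_peer`); unrecognised ssl context keys are silently ignored, so if the engine does not know `verify_host` the setting is a no-op and a reader is misled about what is being disabled — confirm the option name against the wrapper's context parsing, or drop it and rely on `verify_peer => false` alone. The negative cases cover `sslv3://` and `tlsv1.2://` but not `tlsv1.1://`, which is the adjacent version most likely to be accidentally accepted by a `tlsv1.0` server; adding `$client = @stream_socket_client("tlsv1.1://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx); var_dump($client);` and bumping the child's accept loop at L332 to 4 closes that gap. This test also reuses port `64321` with every other test in the commit.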
@@ -0,0 +1,47 @@
+--TEST--
+tlsv1.1 stream wrapper
+--SKIPIF--
+<?php
+if (!extension_loaded("openssl")) die("skip");
+if (OPENSSL_VERSION_NUMBER < 0x10001001) die("skip OpenSSL 1.0.1 required");
+if (!function_exists('pcntl_fork')) die("skip no fork");
+--FILE--
+<?php
+$flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
+$ctx = stream_context_create(array('ssl' => array(
+ 'local_cert' => __DIR__ . '/streams_crypto_method.pem',
+)));
+
+$server = stream_socket_server('tlsv1.1://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
+var_dump($server);
+
+$pid = pcntl_fork();
+if ($pid == -1) {
+ die('could not fork');
+} elseif ($pid) {
+ $flags = STREAM_CLIENT_CONNECT;
+ $ctx = stream_context_create(array('ssl' => array(
+ 'verify_peer' => false,
+ 'verify_host' => false
+ )));
+
+ $client = stream_socket_client("tlsv1.1://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);
+ var_dump($client);
+
+ $client = @stream_socket_client("sslv3://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);
+ var_dump($client);
+
+ $client = @stream_socket_client("tlsv1.2://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);
+ var_dump($client);
+
+} else {
+ @pcntl_wait($status);
+ for ($i=0; $i < 3; $i++) {
+ @stream_socket_accept($server, 1);
+ }
+}
+--EXPECTF--
+resource(%d) of type (stream)
+resource(%d) of type (stream)
+bool(false)
+bool(false)
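Review bot: A `tlsv1.1://` server is probed with `sslv3://` and `tlsv1.2://` clients (L372-L376) but never with `tlsv1.0://`, so the test would not catch a wrapper that maps `tlsv1.1` to a method still willing to speak TLSv1.0; add `$client = @stream_socket_client("tlsv1.0://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx); var_dump($client);` with a matching `bool(false)` and raise the accept loop bound at L380 from 3 to 4. The `'verify_host' => false` key at L366 is not used by any other test here; if it is not a recognised context option it is silently ignored, so either confirm the name or remove it so the test states only what it actually disables. The SKIPIF at L347 correctly gates on OpenSSL 1.0.1 since both `tlsv1.1` and `tlsv1.2` wrappers are only registered there.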